How Dangerous is SQL Injection?

A good tutorial on basic SQL injection (without a tool):

http://www.kalitutorials.net/2014/03/sql-injection-how-it-works.html

[Image: manual SQL injection example, from kalitutorials.net]

Notice the bottom entry. In the user-id field: ' OR 1=1; /*

and in the password field: */--

As the image (from the kalitutorials website) states, the second statement gives you access to the data of all accounts.

 

Why is this? Because a 1=1 statement is always “true”, and we also have to enter something in the password field.

If the code (or function) that handles the form input does not reject this kind of entry, the database may respond with all of its data, or at least with all of the data in the specific table that the SQL function queries.
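
The login behaviour described above, as an added example (not code from this page or from the kalitutorials tutorial): a login query built by string concatenation beside its parameterized form, both fed the two form entries quoted above. The table, sample rows, function names and the shape of the query are assumptions, and Python's sqlite3 stands in for the site's database.

```python
import sqlite3

def make_db():
    """Build an in-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, password TEXT, email TEXT)")
    # Plaintext passwords only to keep the constructed sample short.
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "wonderland", "alice@example.test"),
         ("bob", "builder", "bob@example.test")],
    )
    return db

def login_vulnerable(db, user_id, password):
    # Assumed shape of the flawed login: the input is pasted into the SQL text,
    # so quotes and comment markers in it become part of the statement.
    sql = ("SELECT user_id, email FROM users WHERE user_id = '" + user_id +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()

def login_parameterized(db, user_id, password):
    # Placeholders keep the input as data; it is only ever compared as a string.
    sql = "SELECT user_id, email FROM users WHERE user_id = ? AND password = ?"
    return db.execute(sql, (user_id, password)).fetchall()

# The two form entries quoted above.
USER_FIELD = "' OR 1=1; /*"
PASS_FIELD = "*/--"

if __name__ == "__main__":
    db = make_db()
    # Concatenated: WHERE user_id = '' OR 1=1; the password test is commented out.
    print("vulnerable:   ", login_vulnerable(db, USER_FIELD, PASS_FIELD))
    # Parameterized: no user is literally named "' OR 1=1; /*", so no rows.
    print("parameterized:", login_parameterized(db, USER_FIELD, PASS_FIELD))
    print("valid login:  ", login_parameterized(db, "alice", "wonderland"))
```

With the concatenated query every row in the table comes back; with placeholders the same input matches nothing and a normal login still works.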

 

As the website mentions, this is basically what the tools do in an automated manner, maybe with some variations in the entries.

 

Another interesting bit of information is Dorks: input queries into a search engine (Google, for example) which attempt to find websites with certain text included, for example inurl:"buy.php?category=".

[Image: dork search query and its results]

 

Notice the response UNION ALL SELECT null,null in the search.

This is how your website can be “found out” by criminal hackers, as they try to find victims of their attacks.

And slowly but surely they then try to perform more sophisticated attacks using sqlmap and more:

http://www.kalitutorials.net/2014/03/hacking-website-with-sqlmap-in-kali.html

With sqlmap you can test the URL to inject with a command like:

sqlmap -u <URL to inject>

As the hacker starts to map all your data they will get more and more info that is not really for public consumption (or so it was thought).

It is not a good idea to give out too much information without knowing any circumstances. As an ethical hacker one needs to have permission to attempt to crack (or hack) a database interface. And if it is giving out too much information then one has to mitigate this situation.

At this point I will leave more sqlmap hacking for a specific pentest situation.

Contact Us to discuss further details.

Training the Next Cybersecurity Professionals

http://www.darkreading.com/operations/educating-the-cyberwarriors-of-the-future/a/d-id/1319590

 

Jeff Schilling opines that we need more experienced people in the cybersecurity field. As usual, the issue is that senior-level execs do not fully understand the differences between

1. a person with 5+ years of experience in IT plus cyber security knowledge (no university degree), some certifications

or

2. a person with 2 years of experience who has all the cyber security certifications (plus a university degree).

His assertion is that experience trumps formal education. Someone who came out of college with a degree has usually spent 4 years working toward it, so even after adding 1 or 2 years in the working world, it does seem that a college degree (even in computer science or engineering) would not give the same outlook on a cyber security job as 5 years in the working world without a 4-year college degree.

 

I think he misses the point that we need someone with experience (2-5 years or more) and a college degree, since the difficulties in today’s cyber security field will not become simpler.

 

There is nothing like being placed in a situation that was not in the books, was not taught by the college instructors, and the person has to figure it out on the job as it comes.

 

A Certified Ethical Hacker has to have at least 4 years of security experience or have 3 years of security experience plus a college degree. So the college degree is worth 1 year of experience, not 3 or 4.

Another aspect is Cyber Security training for all users:

http://garyleemillner.com/information-security-awareness-or-cybersecurity-training/#sthash.ZZD0J8Vf.dpbs

[Image: security awareness training, from garyleemillner.com]

Most people do not understand cyber Security and have had no training.

That makes sense; this is why we have this big problem of phishing and malware downloading. The general understanding of cyber security is horrible. This is also why senior execs have such a low understanding of the true problem at hand.

 

Oversitesentry.com and fixvirus.com are trying to change that. Little by little we are trying to help.

 

Testing Website With Owasp-zap

The Google code website link: https://code.google.com/p/zaproxy/

Here is an interesting bit of info (from the link above):

ZAP came second in the Top Security Tools of 2014 as voted by ToolsWatch.org readers

[Image: OWASP ZAP screenshot]

 

Here is a screenshot with my test on my own website – www.fixvirus.com

I clicked on the response tab after Owasp-Zap tries to execute a variety of illegal attempts on my website.

If you have a website and need this done all you need is a copy of Kali-Linux and permission to “attack” the site.

As you can see, OWASP ZAP runs a variety of GET commands with some attempts at SQL injection and more logic testing. It has been shown that when you enter “1=1” in a form, the responding system may come back with more data than it was supposed to… Why would it do that? Well, for some reason the person developing the website code did not do enough security testing.
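
What such GET probes look like from the server side, as an added example (not part of the original post or of OWASP ZAP): a small check that decodes the query string of each access-log request and flags the strings this page mentions, a 1=1 tautology, UNION ALL SELECT, and SQL comment markers. The log lines are constructed, and login.php, the pattern names and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Patterns for the strings this page mentions. They are triage heuristics:
# a match means "look at this request", not "this request succeeded".
SQLI_PATTERNS = {
    "tautology": re.compile(r"\b(\d+)\s*=\s*\1\b"),            # e.g. 1=1
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment_marker": re.compile(r"/\*|\*/|--"),                # /* ... */ and --
}

# Start of a Common/Combined Log Format line: client, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2015:10:01:02 +0000] "GET /buy.php?category=5 HTTP/1.1" 200 5120
203.0.113.7 - - [24/Mar/2015:10:01:09 +0000] "GET /buy.php?category=5%20UNION%20ALL%20SELECT%20null,null HTTP/1.1" 200 5120
198.51.100.20 - - [24/Mar/2015:10:02:40 +0000] "GET /login.php?user=%27+OR+1%3D1%3B+%2F*&pass=*%2F-- HTTP/1.1" 200 734
192.0.2.44 - - [24/Mar/2015:10:03:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2210
"""

def find_sqli_probes(log_text):
    """Return (client_ip, path, [pattern names]) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        # Decode %27, %20 and '+' first, otherwise encoded probes slip past.
        query = unquote_plus(parts.query)
        names = [n for n, rx in SQLI_PATTERNS.items() if rx.search(query)]
        if names:
            hits.append((ip, parts.path, names))
    return hits

if __name__ == "__main__":
    for ip, path, names in find_sqli_probes(SAMPLE_LOG):
        print(ip, path, ",".join(names))
```

Only the request line is logged, so entries submitted in POST bodies never reach this check, and a match is a lead for review rather than proof of a vulnerability.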

 

This is why we always recommend having a separate entity test your website, especially if it runs some kind of dynamic code, accesses a database, or uses scripting (JavaScript) and other .NET technologies.

 

This is a basic thing in cybersecurity, but we want to review it with everyone.

 

Running a basic owasp-command is just the beginning…  After a security professional starts with that initial test, depending on the responses further tests may be warranted.

 

 

 

How Can You Test Your Network? Safely-Legally?

Let’s assume that you agree that some sort of testing of your computers/network is required or should be done.

 

How should you test your network?

There are daily scans coming onto all IP addresses on the Internet. This is a fact of life. What is going on?

We have talked about this before: http://oversitesentry.com/how-many-scans-are-attacking-the-internet/

{Most interesting is work on detecting how many scans there were on the Internet in January 2014.

10.8 million scans from 1.76 million hosts

4.5 million (41.7%) scans attributable to the conficker worm TCP-SYN port 445}

[Image: scans by port]

 

(I would not assume this type of traffic has slowed down in a year and a couple of months)

So we know the hacker is scanning … somewhere and for some reason.

Let’s assume they have a hack-attack they want to perform, so they may be scanning for systems that would be susceptible to this hack-attack. This is why it is important to keep up on the latest security news.

And don’t just get your news from 1-3 sources. It is good to get news from many sources, sift through the noise and then act.

The hackers are always looking to make money or obtain their political goals; the end result is that they own your machine, or in the hacker language: Pwn your machine.

pwn: to conquer and gain ownership.

 

I realize we do not care to do any scanning and general security, but the hacker does their thing to Pwn you. Don’t mistake their concerted effort with your unknowing or lack of attention.

 

So the key is: how should we scan the Internet-facing systems? Or internal systems?

The external systems will face external-type attacks, since there is no firewall defending them (unless you have an external proxy system, but then the proxy system is bare on the Internet). Some system somewhere will be bare on the Internet: the firewall itself, some email server, or a webserver will be “bare” on the Internet.

We should want to test and scan the bare systems, and scan the systems that are supposed to be filtered.

Second, we need to scan our internal systems… Why? Because if an internal system is hacked it will try to hack other systems (disseminating malware).

The reason to scan internal systems is to make sure that if some system did somehow get infected, it will not infect other machines.

So what about the details? How exactly to test? This depends on your network and machines, so at this time I don’t want to get into details, and will instead give the general nature of how scans would work:

 

We test and audit your environment to make you safer    (A – Σ – Ω).

 

How much should I spend on Cybersecurity?

I want to discuss 2 articles and then answer the question in the title.

http://www.theguardian.com/small-business-network/2015/mar/24/hackers-cyberwar-businesses-cybercrime

{Hackers are winning the cyberwar and businesses are all too often simply hoping for the best, according to many security experts. }


Cost of Cybercrime in UK is £18-27bn … supposedly.  This could actually be low, since many people do not discuss cybercrime. But if people are not discussing this crime because of embarrassment or other reasons (PR), then how can we actually tell what is really happening?

What can we actually attribute to real cybercrime?

{He also alleges that some financial institutions have been compromised and have lost millions, but have kept this information under wraps. “In the past 10 years there has been at least one UK-based building society, which no longer exists, which lost about £50m to what was called a ghost transaction.}

There is very little hard data, and some cyber crime is attributed to potential IP crime (Intellectual Property).

The biggest threat is from organised gangs looking to steal data and IP from companies, which they can then exploit on the black market. The hackers are typically based overseas where authorities are less effective at preventing them.

Then I am revisiting my old post of http://oversitesentry.com/the-psychology-of-security/

Humanity is risk averse when it comes to gains and risk seeking when it comes to losses.

“Security is a tradeoff,” Schneier said, speaking to a packed audience at his RSA session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”

 

This is a very important concept to understand:

Humanity is risk averse when it comes to gains – given a choice between higher risk with higher gains and lower risk with lower gains, the masses as a whole move to the lower-risk choice.

Risk seeking when it comes to losses (even to the point that most people do not wear bullet proof vests, including police officers). This means that when one has to choose between spending money and potentially losing something, or spending less money and potentially losing more, we will choose the 2nd one more often.

So coming back to the question:   How much should we spend on cybersecurity?

I can’t really say “we” now, because as a cyber security professional I will spend more on it than you will, since I can’t get hacked, period. I will spend whatever time and resources necessary so that my computers and websites are not hacked.

You or your peers do not fear or understand the true nature of the cyber challenges that we have. So my question is this:

How much should a non-IT pro spend on cybersecurity?

 

For me to answer this correctly, I want to go back to the regular world and spend a little time in stating how much we spend on physical security. For one, we spend a certain dollar amount on our physical locks and key systems. For computer rooms we spend money on keycards and security people watching cameras.  So obviously a camera and the labor for the security person is reasonable even in areas where there is little if any crime.

Why hire security people, buy security cameras, biometric security devices… Etc? Will they be truly used once or twice to catch an actual criminal? Or is it part of the feeling of security that one wants for computer systems in a computer room?

[Images: biometric devices, from bioenabletech.com and biometricdevices.blogspot.com]

 

Biometric devices cost from $100 to $2000 and they have to integrate within a security system hardware/software combinations, so the cost will likely rise to several thousand dollars up to $10,000 with installation and training, but the reality is that an actual criminal will likely not attempt a physical attack on a computer room.

So should we make a comparison of potential security risks?

How accurate will the cybersecurity risk assessment be?  On top of all of this the only real statistic is whether one gets breached or not.

The reason everyone is getting hacked is that no one sees anybody actually get breached except for the well publicized attacks. So no matter what I would conjecture here, your perception is what matters.

 

And now we get back to the psychology of humanity with risk seeking when it comes to losses. So the reality is you will discount the scares and potential security problems and take a chance if you think there is higher risk in doing nothing.

Now we know why most businesses will get hacked period.  You have to go against the psychological grain to spend more money on security.

Contact us to help you decide.